From 499387fc0d1cb5875d9b5866a5fd2782c6fb4c82 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Thu, 16 Apr 2020 15:38:30 +0000 Subject: [PATCH 1/6] util-linux: build libfdisk systemd's repart utility depends on libfdisk. Signed-off-by: Ben Cressey --- packages/util-linux/util-linux.spec | 41 ++++++++++++++++++++++++++--- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/packages/util-linux/util-linux.spec b/packages/util-linux/util-linux.spec index 943f766f010..6d7c99b4a17 100644 --- a/packages/util-linux/util-linux.spec +++ b/packages/util-linux/util-linux.spec @@ -37,6 +37,21 @@ Requires: %{_cross_os}libblkid %description -n %{_cross_os}libblkid-devel %{summary}. +%package -n %{_cross_os}libfdisk +Summary: Partition table library +License: LGPL-2.1-or-later + +%description -n %{_cross_os}libfdisk +%{summary}. + +%package -n %{_cross_os}libfdisk-devel +Summary: Files for development using the partition table library +License: LGPL-2.1-or-later +Requires: %{_cross_os}libfdisk + +%description -n %{_cross_os}libfdisk-devel +%{summary}. + %package -n %{_cross_os}libmount Summary: Device mounting library License: LGPL-2.1-or-later @@ -90,12 +105,12 @@ cp Documentation/licenses/COPYING.* . %build %cross_configure \ - --disable-libfdisk \ --disable-makeinstall-chown \ --disable-nls \ --disable-rpath \ --enable-all-programs \ --enable-libblkid \ + --enable-libfdisk \ --enable-libmount \ --enable-libsmartcols \ --enable-libuuid \ @@ -118,12 +133,14 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool # add attribution.txt files for lib subpackages that need them, since the # default macro only generates attribution.txt for the main package -for lib in lib{blkid,mount,smartcols,uuid}; do +for lib in lib{blkid,fdisk,mount,smartcols,uuid}; do mkdir -p %{buildroot}%{_cross_licensedir}/$lib echo "$lib - %{url}" >> %{buildroot}%{_cross_licensedir}/$lib/attribution.txt done -echo "SPDX-License-Identifier: LGPL-2.1-or-later" | tee -a %{buildroot}%{_cross_licensedir}/lib{blkid,mount,smartcols}/attribution.txt >/dev/null -echo "SPDX-License-Identifier: BSD-3-Clause" | tee -a %{buildroot}%{_cross_licensedir}/libuuid/attribution.txt +echo "SPDX-License-Identifier: LGPL-2.1-or-later" \ + | tee -a %{buildroot}%{_cross_licensedir}/lib{blkid,fdisk,mount,smartcols}/attribution.txt >/dev/null +echo "SPDX-License-Identifier: BSD-3-Clause" \ + | tee -a %{buildroot}%{_cross_licensedir}/libuuid/attribution.txt %files %license COPYING.BSD-3-Clause COPYING.BSD-4-Clause-UC COPYING.GPL-2.0-or-later COPYING.LGPL-2.1-or-later @@ -221,8 +238,10 @@ echo "SPDX-License-Identifier: BSD-3-Clause" | tee -a %{buildroot}%{_cross_licen %{_cross_sbindir}/switch_root %{_cross_sbindir}/wipefs %exclude %{_cross_sbindir}/hwclock +%exclude %{_cross_sbindir}/cfdisk %exclude %{_cross_sbindir}/ctrlaltdel %exclude %{_cross_sbindir}/fdformat +%exclude %{_cross_sbindir}/fdisk %exclude %{_cross_sbindir}/fsck.minix %exclude %{_cross_sbindir}/ldattach %exclude %{_cross_sbindir}/mkfs.bfs @@ -232,6 +251,7 @@ echo "SPDX-License-Identifier: BSD-3-Clause" | tee -a %{buildroot}%{_cross_licen %exclude %{_cross_sbindir}/readprofile %exclude %{_cross_sbindir}/rfkill %exclude %{_cross_sbindir}/rtcwake +%exclude %{_cross_sbindir}/sfdisk %exclude %{_cross_sbindir}/sulogin %exclude %{_cross_sbindir}/swaplabel %exclude %{_cross_sbindir}/swapoff @@ -259,6 +279,19 @@ echo "SPDX-License-Identifier: BSD-3-Clause" | tee -a %{buildroot}%{_cross_licen %{_cross_pkgconfigdir}/blkid.pc %exclude %{_cross_libdir}/libblkid.la +%files -n %{_cross_os}libfdisk +%license COPYING.LGPL-2.1-or-later +%{_licensedir}/libfdisk/attribution.txt +%{_cross_libdir}/libfdisk.so.* + +%files -n %{_cross_os}libfdisk-devel +%{_cross_libdir}/libfdisk.a +%{_cross_libdir}/libfdisk.so +%dir %{_cross_includedir}/libfdisk +%{_cross_includedir}/libfdisk/libfdisk.h +%{_cross_pkgconfigdir}/fdisk.pc +%exclude %{_cross_libdir}/libfdisk.la + %files -n %{_cross_os}libmount %license COPYING.LGPL-2.1-or-later %{_licensedir}/libmount/attribution.txt From 9064d5c0700a583c8da3ddac77b833f6de68054e Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Mon, 20 Apr 2020 21:41:37 +0000 Subject: [PATCH 2/6] util-linux: copy license files to each subpackage Applying the %license attribute to a file with a relative path causes it to be copied into a directory named for the parent package. By using an absolute path, we can arrange for subpackages to include their own copy of the corresponding license. Signed-off-by: Ben Cressey --- packages/util-linux/util-linux.spec | 42 ++++++++++++++++++----------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/packages/util-linux/util-linux.spec b/packages/util-linux/util-linux.spec index 6d7c99b4a17..29b3e8b95cf 100644 --- a/packages/util-linux/util-linux.spec +++ b/packages/util-linux/util-linux.spec @@ -134,13 +134,23 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool # add attribution.txt files for lib subpackages that need them, since the # default macro only generates attribution.txt for the main package for lib in lib{blkid,fdisk,mount,smartcols,uuid}; do - mkdir -p %{buildroot}%{_cross_licensedir}/$lib - echo "$lib - %{url}" >> %{buildroot}%{_cross_licensedir}/$lib/attribution.txt + mkdir -p %{buildroot}%{_cross_licensedir}/${lib} + echo "${lib} - %{url}" >> %{buildroot}%{_cross_licensedir}/${lib}/attribution.txt +done + +# most lib subpackages are LGPL-2.1-or-later +for lib in lib{blkid,fdisk,mount,smartcols}; do + echo "SPDX-License-Identifier: LGPL-2.1-or-later" \ + | tee -a %{buildroot}%{_cross_licensedir}/${lib}/attribution.txt >/dev/null + cp -a COPYING.LGPL-2.1-or-later %{buildroot}%{_cross_licensedir}/${lib} +done + +# libuuid is BSD-3-Clause +for lib in libuuid; do + echo "SPDX-License-Identifier: BSD-3-Clause" \ + | tee -a %{buildroot}%{_cross_licensedir}/${lib}/attribution.txt >/dev/null + cp -a COPYING.BSD-3-Clause %{buildroot}%{_cross_licensedir}/${lib} done -echo "SPDX-License-Identifier: LGPL-2.1-or-later" \ - | tee -a %{buildroot}%{_cross_licensedir}/lib{blkid,fdisk,mount,smartcols}/attribution.txt >/dev/null -echo "SPDX-License-Identifier: BSD-3-Clause" \ - | tee -a %{buildroot}%{_cross_licensedir}/libuuid/attribution.txt %files %license COPYING.BSD-3-Clause COPYING.BSD-4-Clause-UC COPYING.GPL-2.0-or-later COPYING.LGPL-2.1-or-later @@ -267,8 +277,8 @@ echo "SPDX-License-Identifier: BSD-3-Clause" \ %exclude %{_cross_mandir} %files -n %{_cross_os}libblkid -%license COPYING.LGPL-2.1-or-later -%{_licensedir}/libblkid/attribution.txt +%license %{_cross_licensedir}/libblkid/COPYING.LGPL-2.1-or-later +%license %{_cross_licensedir}/libblkid/attribution.txt %{_cross_libdir}/libblkid.so.* %files -n %{_cross_os}libblkid-devel @@ -280,8 +290,8 @@ echo "SPDX-License-Identifier: BSD-3-Clause" \ %exclude %{_cross_libdir}/libblkid.la %files -n %{_cross_os}libfdisk -%license COPYING.LGPL-2.1-or-later -%{_licensedir}/libfdisk/attribution.txt +%license %{_cross_licensedir}/libfdisk/COPYING.LGPL-2.1-or-later +%license %{_cross_licensedir}/libfdisk/attribution.txt %{_cross_libdir}/libfdisk.so.* %files -n %{_cross_os}libfdisk-devel @@ -293,8 +303,8 @@ echo "SPDX-License-Identifier: BSD-3-Clause" \ %exclude %{_cross_libdir}/libfdisk.la %files -n %{_cross_os}libmount -%license COPYING.LGPL-2.1-or-later -%{_licensedir}/libmount/attribution.txt +%license %{_cross_licensedir}/libmount/COPYING.LGPL-2.1-or-later +%license %{_cross_licensedir}/libmount/attribution.txt %{_cross_libdir}/libmount.so.* %files -n %{_cross_os}libmount-devel @@ -306,8 +316,8 @@ echo "SPDX-License-Identifier: BSD-3-Clause" \ %exclude %{_cross_libdir}/libmount.la %files -n %{_cross_os}libsmartcols -%license COPYING.LGPL-2.1-or-later -%{_licensedir}/libsmartcols/attribution.txt +%license %{_cross_licensedir}/libsmartcols/COPYING.LGPL-2.1-or-later +%license %{_cross_licensedir}/libsmartcols/attribution.txt %{_cross_libdir}/libsmartcols.so.* %files -n %{_cross_os}libsmartcols-devel @@ -319,8 +329,8 @@ echo "SPDX-License-Identifier: BSD-3-Clause" \ %exclude %{_cross_libdir}/libsmartcols.la %files -n %{_cross_os}libuuid -%license COPYING.BSD-3-Clause -%{_licensedir}/libuuid/attribution.txt +%license %{_cross_licensedir}/libuuid/COPYING.BSD-3-Clause +%license %{_cross_licensedir}/libuuid/attribution.txt %{_cross_libdir}/libuuid.so.* %files -n %{_cross_os}libuuid-devel From 5062d5cfe04741af7f6e93f9721afc494f6a5a2c Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Wed, 15 Apr 2020 19:06:00 +0000 Subject: [PATCH 3/6] systemd: update to 245 This syncs the build options with changes between 240 and 245. We also enable the repart tool and its dependencies. Although repart only supports the root device today, it could be useful when we add support for an initrd, or when we have variants with only one block device. Signed-off-by: Ben Cressey --- ...-stateful-paths-to-ephemeral-storage.patch | 4 +- ...-not-create-unused-state-directories.patch | 10 +- ...se-absolute-path-for-var-run-symlink.patch | 4 +- ...separate-timeout-for-system-shutdown.patch | 12 +- .../9005-repart-always-use-random-UUIDs.patch | 178 ++++++++++++++++++ packages/systemd/Cargo.toml | 4 +- packages/systemd/systemd.spec | 21 ++- 7 files changed, 214 insertions(+), 19 deletions(-) create mode 100644 packages/systemd/9005-repart-always-use-random-UUIDs.patch diff --git a/packages/systemd/9001-move-stateful-paths-to-ephemeral-storage.patch b/packages/systemd/9001-move-stateful-paths-to-ephemeral-storage.patch index 4a0b80d5e15..da6c24a7367 100644 --- a/packages/systemd/9001-move-stateful-paths-to-ephemeral-storage.patch +++ b/packages/systemd/9001-move-stateful-paths-to-ephemeral-storage.patch @@ -1,7 +1,7 @@ -From 8862df96457fa790bb2dea414f89d1fe0a704716 Mon Sep 17 00:00:00 2001 +From 4f14d52fb6951f3870bfbe6789471cd75a87c341 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sun, 15 Sep 2019 00:21:26 +0000 -Subject: [PATCH 9001/9004] move stateful paths to ephemeral storage +Subject: [PATCH 9001/9005] move stateful paths to ephemeral storage We reserve most of /var for persistent local storage controlled by the administrator, and want to avoid depending on it for our own diff --git a/packages/systemd/9002-do-not-create-unused-state-directories.patch b/packages/systemd/9002-do-not-create-unused-state-directories.patch index 46d8eaa9fb5..9db65887ef9 100644 --- a/packages/systemd/9002-do-not-create-unused-state-directories.patch +++ b/packages/systemd/9002-do-not-create-unused-state-directories.patch @@ -1,7 +1,7 @@ -From 1b3b7345d19a7877026690ef05852dbb4fb0efe8 Mon Sep 17 00:00:00 2001 +From 8711db616a17523abcea9615c56233c68cf6a1e5 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Sun, 15 Sep 2019 00:51:25 +0000 -Subject: [PATCH 9002/9004] do not create unused state directories +Subject: [PATCH 9002/9005] do not create unused state directories We do not use the coredump handler, and the private directories have been relocated to `/run`. @@ -12,11 +12,11 @@ Signed-off-by: Ben Cressey 1 file changed, 7 deletions(-) diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4 -index 9c57d3b..30a9bd9 100644 +index 11d87d2..c8fb51a 100644 --- a/tmpfiles.d/systemd.conf.m4 +++ b/tmpfiles.d/systemd.conf.m4 -@@ -70,10 +70,3 @@ a+ /var/log/journal/%m - - - - d:group:wheel:r-x - a+ /var/log/journal/%m - - - - group:wheel:r-x +@@ -65,10 +65,3 @@ a+ /var/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:w + a+ /var/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x a+ /var/log/journal/%m/system.journal - - - - group:wheel:r-- '')')')m4_dnl - diff --git a/packages/systemd/9003-use-absolute-path-for-var-run-symlink.patch b/packages/systemd/9003-use-absolute-path-for-var-run-symlink.patch index bdceb36675e..a4e995deff5 100644 --- a/packages/systemd/9003-use-absolute-path-for-var-run-symlink.patch +++ b/packages/systemd/9003-use-absolute-path-for-var-run-symlink.patch @@ -1,7 +1,7 @@ -From 6c298326187075878688ac06f7d99e5b9822aaec Mon Sep 17 00:00:00 2001 +From 3cb32d73e064c2f5a6fde71c279b0cfe99e1c6ec Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Tue, 17 Sep 2019 01:35:51 +0000 -Subject: [PATCH 9003/9004] use absolute path for /var/run symlink +Subject: [PATCH 9003/9005] use absolute path for /var/run symlink Otherwise the symlink may be broken if /var is a bind mount from somewhere else. diff --git a/packages/systemd/9004-core-add-separate-timeout-for-system-shutdown.patch b/packages/systemd/9004-core-add-separate-timeout-for-system-shutdown.patch index 05d0dd8d5c1..ad06001bdf3 100644 --- a/packages/systemd/9004-core-add-separate-timeout-for-system-shutdown.patch +++ b/packages/systemd/9004-core-add-separate-timeout-for-system-shutdown.patch @@ -1,7 +1,7 @@ -From 4d11f5d502ca4a61c491681cdfd99ebe24e3f58c Mon Sep 17 00:00:00 2001 +From 2feddea6cbee14216e26a4312f5cb0e546a472ff Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Tue, 10 Mar 2020 20:30:10 +0000 -Subject: [PATCH 9004/9004] core: add separate timeout for system shutdown +Subject: [PATCH 9004/9005] core: add separate timeout for system shutdown There is an existing setting for this (DefaultTimeoutStopUSec), but changing it has no effect because `reset_arguments()` is called just @@ -19,7 +19,7 @@ Signed-off-by: Ben Cressey 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/basic/def.h b/src/basic/def.h -index 970654a..b02f6f0 100644 +index 970654a..9251bb9 100644 --- a/src/basic/def.h +++ b/src/basic/def.h @@ -13,6 +13,9 @@ @@ -33,7 +33,7 @@ index 970654a..b02f6f0 100644 #define DEFAULT_UNIX_MAX_DGRAM_QLEN 512UL diff --git a/src/core/main.c b/src/core/main.c -index c24b696..8ffa09f 100644 +index 3c6b66e..f2e9776 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -114,6 +114,7 @@ static ExecOutput arg_default_std_error; @@ -44,7 +44,7 @@ index c24b696..8ffa09f 100644 static usec_t arg_default_timeout_abort_usec; static bool arg_default_timeout_abort_set; static usec_t arg_default_start_limit_interval; -@@ -1389,7 +1390,7 @@ static int become_shutdown( +@@ -1398,7 +1399,7 @@ static int become_shutdown( env_block = strv_copy(environ); xsprintf(log_level, "%d", log_get_max_level()); @@ -53,7 +53,7 @@ index c24b696..8ffa09f 100644 switch (log_get_target()) { -@@ -2124,6 +2125,7 @@ static void reset_arguments(void) { +@@ -2151,6 +2152,7 @@ static void reset_arguments(void) { arg_default_restart_usec = DEFAULT_RESTART_USEC; arg_default_timeout_start_usec = DEFAULT_TIMEOUT_USEC; arg_default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC; diff --git a/packages/systemd/9005-repart-always-use-random-UUIDs.patch b/packages/systemd/9005-repart-always-use-random-UUIDs.patch new file mode 100644 index 00000000000..e8ccd498112 --- /dev/null +++ b/packages/systemd/9005-repart-always-use-random-UUIDs.patch @@ -0,0 +1,178 @@ +From b96a0d9b2449719a7152f4b3c2871fd3b18a8ebf Mon Sep 17 00:00:00 2001 +From: Ben Cressey +Date: Thu, 16 Apr 2020 15:10:41 +0000 +Subject: [PATCH 9005/9005] repart: always use random UUIDs + +We would like to avoid adding OpenSSL to the base OS, and for our use +case we do not need the UUIDs assigned to disks or partitions to be +reproducible. + +The upstream implementation keys off machine ID, and we will almost +always be resizing the local data partition on first boot, when the +machine ID will be freshly generated and therefore also random. + +This takes the fallback case of generating a random UUID in the event +of a collision and makes it the default behavior for both partition +and disk UUIDs. + +Signed-off-by: Ben Cressey +--- + meson.build | 3 +- + src/partition/repart.c | 101 ++++++----------------------------------- + 2 files changed, 14 insertions(+), 90 deletions(-) + +diff --git a/meson.build b/meson.build +index fc216d2..eb28daa 100644 +--- a/meson.build ++++ b/meson.build +@@ -1305,8 +1305,7 @@ substs.set('DEFAULT_DNS_OVER_TLS_MODE', default_dns_over_tls) + + want_repart = get_option('repart') + if want_repart != 'false' +- have = (conf.get('HAVE_OPENSSL') == 1 and +- conf.get('HAVE_LIBFDISK') == 1) ++ have = (conf.get('HAVE_LIBFDISK') == 1) + if want_repart == 'true' and not have + error('repart support was requested, but dependencies are not available') + endif +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 3e52f26..93f6834 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -13,9 +13,6 @@ + #include + #include + +-#include +-#include +- + #include "sd-id128.h" + + #include "alloc-util.h" +@@ -1143,26 +1140,18 @@ static int fdisk_set_disklabel_id_by_uuid(struct fdisk_context *c, sd_id128_t id + #define DISK_UUID_TOKEN "disk-uuid" + + static int disk_acquire_uuid(Context *context, sd_id128_t *ret) { +- union { +- unsigned char md[SHA256_DIGEST_LENGTH]; +- sd_id128_t id; +- } result; ++ sd_id128_t id; ++ int r; + + assert(context); + assert(ret); + +- /* Calculate the HMAC-SHA256 of the string "disk-uuid", keyed off the machine ID. We use the machine +- * ID as key (and not as cleartext!) since it's the machine ID we don't want to leak. */ +- +- if (!HMAC(EVP_sha256(), +- &context->seed, sizeof(context->seed), +- (const unsigned char*) DISK_UUID_TOKEN, strlen(DISK_UUID_TOKEN), +- result.md, NULL)) +- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "HMAC-SHA256 calculation failed."); ++ /* Calculate a random UUID for the indicated disk. */ ++ r = sd_id128_randomize(&id); ++ if (r < 0) ++ return log_error_errno(r, "Failed to generate randomized UUID: %m"); + +- /* Take the first half, mark it as v4 UUID */ +- assert_cc(sizeof(result.md) == sizeof(result.id) * 2); +- *ret = id128_make_v4_uuid(result.id); ++ *ret = id; + return 0; + } + +@@ -2073,83 +2062,19 @@ static int context_wipe_and_discard(Context *context, bool from_scratch) { + } + + static int partition_acquire_uuid(Context *context, Partition *p, sd_id128_t *ret) { +- struct { +- sd_id128_t type_uuid; +- uint64_t counter; +- } _packed_ plaintext = {}; +- union { +- unsigned char md[SHA256_DIGEST_LENGTH]; +- sd_id128_t id; +- } result; +- +- uint64_t k = 0; +- Partition *q; ++ sd_id128_t id; + int r; + + assert(context); + assert(p); + assert(ret); + +- /* Calculate a good UUID for the indicated partition. We want a certain degree of reproducibility, +- * hence we won't generate the UUIDs randomly. Instead we use a cryptographic hash (precisely: +- * HMAC-SHA256) to derive them from a single seed. The seed is generally the machine ID of the +- * installation we are processing, but if random behaviour is desired can be random, too. We use the +- * seed value as key for the HMAC (since the machine ID is something we generally don't want to leak) +- * and the partition type as plaintext. The partition type is suffixed with a counter (only for the +- * second and later partition of the same type) if we have more than one partition of the same +- * time. Or in other words: +- * +- * With: +- * SEED := /etc/machine-id +- * +- * If first partition instance of type TYPE_UUID: +- * PARTITION_UUID := HMAC-SHA256(SEED, TYPE_UUID) +- * +- * For all later partition instances of type TYPE_UUID with INSTANCE being the LE64 encoded instance number: +- * PARTITION_UUID := HMAC-SHA256(SEED, TYPE_UUID || INSTANCE) +- */ +- +- LIST_FOREACH(partitions, q, context->partitions) { +- if (p == q) +- break; +- +- if (!sd_id128_equal(p->type_uuid, q->type_uuid)) +- continue; +- +- k++; +- } +- +- plaintext.type_uuid = p->type_uuid; +- plaintext.counter = htole64(k); +- +- if (!HMAC(EVP_sha256(), +- &context->seed, sizeof(context->seed), +- (const unsigned char*) &plaintext, k == 0 ? sizeof(sd_id128_t) : sizeof(plaintext), +- result.md, NULL)) +- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "SHA256 calculation failed."); +- +- /* Take the first half, mark it as v4 UUID */ +- assert_cc(sizeof(result.md) == sizeof(result.id) * 2); +- result.id = id128_make_v4_uuid(result.id); +- +- /* Ensure this partition UUID is actually unique, and there's no remaining partition from an earlier run? */ +- LIST_FOREACH(partitions, q, context->partitions) { +- if (p == q) +- continue; +- +- if (sd_id128_equal(q->current_uuid, result.id) || +- sd_id128_equal(q->new_uuid, result.id)) { +- log_warning("Partition UUID calculated from seed for partition %" PRIu64 " exists already, reverting to randomized UUID.", p->partno); +- +- r = sd_id128_randomize(&result.id); +- if (r < 0) +- return log_error_errno(r, "Failed to generate randomized UUID: %m"); +- +- break; +- } +- } ++ /* Calculate a random UUID for the indicated partition. */ ++ r = sd_id128_randomize(&id); ++ if (r < 0) ++ return log_error_errno(r, "Failed to generate randomized UUID: %m"); + +- *ret = result.id; ++ *ret = id; + return 0; + } + +-- +2.21.0 + diff --git a/packages/systemd/Cargo.toml b/packages/systemd/Cargo.toml index 2ad2ffd20db..6e081073368 100644 --- a/packages/systemd/Cargo.toml +++ b/packages/systemd/Cargo.toml @@ -9,8 +9,8 @@ build = "build.rs" path = "pkg.rs" [[package.metadata.build-package.external-files]] -url = "https://github.com/systemd/systemd/archive/v244/systemd-244.tar.gz" -sha512 = "08f260fb15b5eb273faafda826dd9154e9a02841b4c5911cc1c7e1445072ad51389f8cced7b9acf112737c20fd56b2fbf48b3f914733c934c774d38a23b616fb" +url = "https://github.com/systemd/systemd/archive/v245/systemd-245.tar.gz" +sha512 = "1b80d0e02472dfc4197f11dab4f56cf90e8a6e105ce19f837cb11335b6d8577ed49031dad94cdb41aa9bdc06ec8eec62c8e9246272b83935e7bb9dcd3cd8c012" [build-dependencies] glibc = { path = "../glibc" } diff --git a/packages/systemd/systemd.spec b/packages/systemd/systemd.spec index c7b132ee3a5..3f5cf2775dc 100644 --- a/packages/systemd/systemd.spec +++ b/packages/systemd/systemd.spec @@ -2,7 +2,7 @@ %global _cross_allow_rpath 1 Name: %{_cross_os}systemd -Version: 244 +Version: 245 Release: 1%{?dist} Summary: System and Service Manager License: GPL-2.0-or-later AND GPL-2.0-only AND LGPL-2.1-or-later @@ -11,15 +11,22 @@ Source0: https://github.com/systemd/systemd/archive/v%{version}/systemd-%{versio Source1: run-tmpfiles.conf Source2: systemd-modules-load.conf -# Local changes. +# Local patches that can be dropped when we have an SELinux policy that +# limits access to system files on the data volume. Patch9001: 9001-move-stateful-paths-to-ephemeral-storage.patch Patch9002: 9002-do-not-create-unused-state-directories.patch + +# Local patch to work around the fact that /var is a bind mount from +# /local/var, and we want the /local/var/run symlink to point to /run. Patch9003: 9003-use-absolute-path-for-var-run-symlink.patch # TODO: this could potentially be submitted upstream, but needs a better # way to be configured at build time or during execution first. Patch9004: 9004-core-add-separate-timeout-for-system-shutdown.patch +# Local patch to avoid an OpenSSL dependency that's otherwise not needed. +Patch9005: 9005-repart-always-use-random-UUIDs.patch + BuildRequires: gperf BuildRequires: intltool BuildRequires: meson @@ -29,6 +36,7 @@ BuildRequires: %{_cross_os}libacl-devel BuildRequires: %{_cross_os}libattr-devel BuildRequires: %{_cross_os}libblkid-devel BuildRequires: %{_cross_os}libcap-devel +BuildRequires: %{_cross_os}libfdisk-devel BuildRequires: %{_cross_os}libmount-devel BuildRequires: %{_cross_os}libseccomp-devel BuildRequires: %{_cross_os}libselinux-devel @@ -39,6 +47,7 @@ Requires: %{_cross_os}libacl Requires: %{_cross_os}libattr Requires: %{_cross_os}libblkid Requires: %{_cross_os}libcap +Requires: %{_cross_os}libfdisk Requires: %{_cross_os}libmount Requires: %{_cross_os}libseccomp Requires: %{_cross_os}libselinux @@ -86,12 +95,16 @@ CONFIGURE_OPTS=( -Dtpm=false -Denvironment-d=false -Dbinfmt=false + -Drepart=true -Dcoredump=false + -Dpstore=true -Dlogind=false -Dhostnamed=false -Dlocaled=false -Dmachined=false -Dportabled=false + -Duserdb=false + -Dhomed=false -Dnetworkd=false -Dtimedated=false -Dtimesyncd=false @@ -129,8 +142,10 @@ CONFIGURE_OPTS=( -Dacl=true -Daudit=false -Dblkid=true + -Dfdisk=true -Dkmod=true -Dpam=false + -Dpwquality=false -Dmicrohttpd=false -Dlibcryptsetup=false -Dlibcurl=false @@ -142,6 +157,7 @@ CONFIGURE_OPTS=( -Dgcrypt=false -Dgnutls=false -Dopenssl=false + -Dp11kit=false -Delfutils=false -Dzlib=false -Dbzip2=false @@ -201,6 +217,7 @@ rm -f %{buildroot}%{_cross_libdir}/systemd/network/* %{_cross_bindir}/systemd-notify %{_cross_bindir}/systemd-nspawn %{_cross_bindir}/systemd-path +%{_cross_bindir}/systemd-repart %{_cross_bindir}/systemd-run %{_cross_bindir}/systemd-socket-activate %{_cross_bindir}/systemd-stdio-bridge From 46f1f97dcd23680e284758dbedba399eb44acc46 Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Mon, 20 Apr 2020 16:59:02 +0000 Subject: [PATCH 4/6] systemd: relocate more files to console package Features related to passwords and emergency debugging assume that an interactive shell will be present for use on the console. Variants that do not include a shell also do not need the related files. The new sulogin helper enables the single-user login shell to work as expected for development and debugging purposes. Signed-off-by: Ben Cressey --- packages/login/login.spec | 4 ++++ packages/systemd/systemd.spec | 30 ++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/packages/login/login.spec b/packages/login/login.spec index c825e9fca53..051fd7284cf 100644 --- a/packages/login/login.spec +++ b/packages/login/login.spec @@ -21,7 +21,11 @@ Requires: %{_cross_os}systemd-console install -d %{buildroot}%{_cross_bindir} install -p -m 0755 %{S:0} %{buildroot}%{_cross_bindir}/login +install -d %{buildroot}%{_cross_sbindir} +ln -s ../bin/login %{buildroot}%{_cross_sbindir}/sulogin + %files %{_cross_bindir}/login +%{_cross_sbindir}/sulogin %changelog diff --git a/packages/systemd/systemd.spec b/packages/systemd/systemd.spec index 3f5cf2775dc..f922ca5037e 100644 --- a/packages/systemd/systemd.spec +++ b/packages/systemd/systemd.spec @@ -276,18 +276,48 @@ rm -f %{buildroot}%{_cross_libdir}/systemd/network/* %exclude %{_cross_localstatedir}/log/README %exclude %{_cross_rundir} +%exclude %{_cross_bindir}/systemd-ask-password +%exclude %{_cross_bindir}/systemd-tty-ask-password-agent +%exclude %{_cross_libdir}/systemd/systemd-sulogin-shell +%exclude %{_cross_libdir}/systemd/systemd-reply-password +%exclude %{_cross_systemdgeneratordir}/systemd-debug-generator %exclude %{_cross_systemdgeneratordir}/systemd-getty-generator %exclude %{_cross_unitdir}/console-getty.service %exclude %{_cross_unitdir}/container-getty@.service +%exclude %{_cross_unitdir}/debug-shell.service +%exclude %{_cross_unitdir}/emergency.service +%exclude %{_cross_unitdir}/emergency.target %exclude %{_cross_unitdir}/getty@.service +%exclude %{_cross_unitdir}/rescue.service +%exclude %{_cross_unitdir}/rescue.target %exclude %{_cross_unitdir}/serial-getty@.service +%exclude %{_cross_unitdir}/systemd-ask-password-console.service +%exclude %{_cross_unitdir}/systemd-ask-password-console.path +%exclude %{_cross_unitdir}/systemd-ask-password-wall.path +%exclude %{_cross_unitdir}/sysinit.target.wants/systemd-ask-password-console.path +%exclude %{_cross_unitdir}/multi-user.target.wants/systemd-ask-password-wall.path %files console +%{_cross_bindir}/systemd-ask-password +%{_cross_bindir}/systemd-tty-ask-password-agent +%{_cross_libdir}/systemd/systemd-sulogin-shell +%{_cross_libdir}/systemd/systemd-reply-password +%{_cross_systemdgeneratordir}/systemd-debug-generator %{_cross_systemdgeneratordir}/systemd-getty-generator %{_cross_unitdir}/console-getty.service %{_cross_unitdir}/container-getty@.service +%{_cross_unitdir}/debug-shell.service +%{_cross_unitdir}/emergency.service +%{_cross_unitdir}/emergency.target %{_cross_unitdir}/getty@.service +%{_cross_unitdir}/rescue.service +%{_cross_unitdir}/rescue.target %{_cross_unitdir}/serial-getty@.service +%{_cross_unitdir}/systemd-ask-password-console.service +%{_cross_unitdir}/systemd-ask-password-console.path +%{_cross_unitdir}/systemd-ask-password-wall.path +%{_cross_unitdir}/sysinit.target.wants/systemd-ask-password-console.path +%{_cross_unitdir}/multi-user.target.wants/systemd-ask-password-wall.path %files devel %{_cross_libdir}/libsystemd.so From 94e2aed389158d9da6814dbe7d59035caed8fd8b Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Thu, 16 Apr 2020 15:41:03 +0000 Subject: [PATCH 5/6] build: add partition type UUID for local data image This allows tools to find the partition by UUID as well as by label. Signed-off-by: Ben Cressey --- tools/rpm2img | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/rpm2img b/tools/rpm2img index 07ad392d321..4e391c2b281 100755 --- a/tools/rpm2img +++ b/tools/rpm2img @@ -52,6 +52,7 @@ BOTTLEROCKET_ROOT_TYPECODE="5526016a-1a97-4ea4-b39a-b7c8c6ca4502" BOTTLEROCKET_HASH_TYPECODE="598f10af-c955-4456-6a99-7720068a6cea" BOTTLEROCKET_RESERVED_TYPECODE="0c5d99a5-d331-4147-baef-08e2b855bdc9" BOTTLEROCKET_PRIVATE_TYPECODE="440408bb-eb0b-4328-a6e5-a29038fad706" +BOTTLEROCKET_DATA_TYPECODE="626f7474-6c65-6474-6861-726d61726b73" if [[ "${ARCH}" == "x86_64" ]]; then FIRM_NAME="BIOS-BOOT" @@ -187,7 +188,7 @@ dd if="${PRIVATE_IMAGE}" of="${DISK_IMAGE}" conv=notrunc bs=1M seek=2005 # BOTTLEROCKET-DATA truncate -s 1G "${DATA_IMAGE}" sgdisk --clear \ - -n 0:1M:1023M -c 0:"BOTTLEROCKET-DATA" -t 0:8300 \ + -n 0:1M:1023M -c 0:"BOTTLEROCKET-DATA" -t 0:"${BOTTLEROCKET_DATA_TYPECODE}" \ --sort --print "${DATA_IMAGE}" # If we build on a host with SELinux enabled, we could end up with labels that # do not match our policy. Since we allow replacing the data volume at runtime, From 928db81443d22f7fcf06db4d0314f4e20e6c2f0e Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Fri, 17 Apr 2020 18:14:34 +0000 Subject: [PATCH 6/6] release: set RemainAfterExit=yes for prepare-local This fixes a potential upgrade issue for systemd 245, where oneshots should have RemainAfterExit=yes so that they are not started again after they exit successfully. Signed-off-by: Ben Cressey --- packages/release/prepare-local.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/release/prepare-local.service b/packages/release/prepare-local.service index 6173bda96c2..d9f2a2315c0 100644 --- a/packages/release/prepare-local.service +++ b/packages/release/prepare-local.service @@ -38,7 +38,7 @@ ExecStart=/usr/bin/mount \ ExecStart=/usr/lib/systemd/systemd-growfs ${LOCAL_DIR} ExecStart=/usr/bin/mkdir -p ${LOCAL_DIR}/var ${LOCAL_DIR}/opt -RemainAfterExit=false +RemainAfterExit=true StandardError=journal+console [Install]